Legal

Platform terms

These terms govern authenticated tenant usage of the Cyber Risk Intelligence Platform. We have written them in plain language. Where a formal signed agreement exists between your organisation and CyberSec Consultants, the signed agreement takes precedence.

Canonical artefact metadata

Owner: CyberSec Legal and Trust Office
Approver: CyberSec Executive Governance
Version: 1.0.0
Last reviewed: 2026-04-20
Next review due: 2026-10-20

What this covers

This page summarises the key commitments and responsibilities that apply when you access the platform as an authenticated tenant. It covers access and use, data ownership, authorised users, acceptable use, service suspension, and what happens when access ends.

Tenant responsibilities

You are responsible for managing access to your workspace. This means:

  • Maintaining an accurate user list. You must ensure that users who should no longer have access are removed promptly. A user's actions within your workspace are treated as your organisation's actions.
  • Keeping credentials secure. You are responsible for the confidentiality of passwords, session access, and API keys associated with your workspace. We are not liable for loss or damage arising from a failure to keep credentials secure.
  • Ingesting data lawfully. You are responsible for ensuring that any data you upload or ingest through integrations is data you have the right to process on the platform.
  • Using the platform for its intended purpose. The platform is for managing your organisation's cyber risk posture. Resale, sublicensing, or providing similar services to third parties using the platform requires our prior written consent.

Data ownership and confidentiality

You own your data. The risk records, findings, assessments, and governance artefacts in your workspace belong to your organisation. You grant us the right to process that data solely to provide the platform services to you.

We do not sell your data. We do not sell, rent, or make available your data or your users' personal information to any third parties. We do not derive commercial data products from your workspace data.

Third-party providers. We use best-of-breed cloud infrastructure and service providers to deliver the platform. We select partners carefully and limit what data is exposed to them to what is operationally necessary. We are not responsible for security issues arising from your direct interactions with third-party providers outside of our platform surface.

Confidentiality obligations governing information exchanged under a commercial agreement remain in force for five years after the end of that agreement.

Security and governance commitments

We commit to maintaining the platform to industry standards and employing appropriately qualified staff to deliver it. Our platform controls enforce tenant isolation, produce immutable governance snapshots, maintain append-only audit evidence, and apply explicit authorization checks for all privileged operations.

We perform regular backups of tenant data. In the event of a platform failure, we aim to restore full service within 24 hours from the most recent backup point.

Customer authorization for security services

If CyberSec is asked to perform penetration testing, validation work, or any other intrusive security service for your organisation, you represent that you have authority to authorize the testing against the in-scope systems, applications, infrastructure, and data and that you will obtain any required third-party approvals before work begins.

You must provide accurate scope information, technical points of contact, testing windows, and any relevant constraints, dependencies, or sensitive systems that could materially affect safe execution. You remain responsible for appropriate backups, internal coordination, and change control for your environment.

We may need to deploy or run testing tools, capture evidence, and temporarily access confidential or personal information as part of the authorized work. We will use reasonable care and confidentiality controls, but you acknowledge that intrusive testing can still create temporary disruption, performance degradation, or unintended effects. The signed engagement documents govern final risk allocation, liability limitations, and any indemnity or hold-harmless commitments.

Acceptable use and suspension

We may suspend workspace access immediately if:

  • There is evidence of attempted unauthorised access to the platform.
  • Your use poses a security threat to us or to other tenants.
  • There is evidence of fraud on your account.
  • The platform is being used for an illegal purpose or in a way that infringes third-party rights.

Suspension does not result in intentional deletion of your data. We will contact you regarding the circumstances as soon as practicably possible.

End of service and data handling

When access to the platform ends — whether by cancellation, non-renewal, or agreement termination:

  • Platform access is revoked and you will no longer be able to log in or call the API.
  • Any outstanding amounts due become immediately payable.
  • Unless the law prevents it, we may erase your workspace data after the end of the service relationship. We do not have an obligation to retrieve your data or provide data-export assistance after access has ended — if you need an export, request it before termination.

Termination of the service relationship does not create any expectation of continued access, automatic renewal, or further agreement between the parties.